Sitting hear on a cold, snowy day thinking about secure design principles. These are key to think about during the design phase of a feature/project?

  • Total Mediation – every access to every resource must be validated every time
  • Economy of Mechanism – keep it as simple as possible
  • Fail-Safe – in case of failure, default to a secure state
  • Defense in Depth – layer security
  • Open Design – the security of a system should not be dependent on secrecy of its design or implementation
  • Psychological Acceptability – security mechanisms must not make resources more difficult to access then if they weren’t there
  • Least Privilege – limit access to a system/feature to only those that *need* to access it for the shortest duration possible
  • Minimize attack surface – reduce risk by reducing the attack surface area
  • Secure Defaults – default to a secure state

Any others you can think of?